    powerpc/pseries: Fix clearing of security feature flags · e89cb4d7
    Mauricio Faria de Oliveira authored
    CVE-2018-3639 (powerpc)
    
    The H_CPU_BEHAV_* flags should be checked for in the 'behaviour' field
    of 'struct h_cpu_char_result' -- 'character' is for H_CPU_CHAR_*
    flags.
    
    Found by playing around with QEMU's implementation of the hypercall:
    
      H_CPU_CHAR=0xf000000000000000
      H_CPU_BEHAV=0x0000000000000000
    
      This clears H_CPU_BEHAV_FAVOUR_SECURITY and H_CPU_BEHAV_L1D_FLUSH_PR
      so pseries_setup_rfi_flush() disables 'rfi_flush'; and it also
      clears H_CPU_CHAR_L1D_THREAD_PRIV flag. So there is no RFI flush
      mitigation at all for cpu_show_meltdown() to report; but currently
      it does:
    
      Original kernel:
    
        # cat /sys/devices/system/cpu/vulnerabilities/meltdown
        Mitigation: RFI Flush
    
      Patched kernel:
    
        # cat /sys/devices/system/cpu/vulnerabilities/meltdown
        Not affected
    
      H_CPU_CHAR=0x0000000000000000
      H_CPU_BEHAV=0xf000000000000000
    
      This sets H_CPU_BEHAV_BNDS_CHK_SPEC_BAR so cpu_show_spectre_v1() should
      report vulnerable; but currently it doesn't:
    
      Original kernel:
    
        # cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
        Not affected
    
      Patched kernel:
    
        # cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
        Vulnerable
    
    Brown-paper-bag-by: Michael Ellerman <mpe@ellerman.id.au>
    Fixes: f636c147 ("powerpc/pseries: Set or clear security feature flags")
    Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
    (cherry picked from commit 0f9bdfe3)
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Juerg Haefliger <juergh@canonical.com>
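The field mix-up the commit describes, as an added C model (not the kernel's code): `derive_flags_buggy` reads the H_CPU_BEHAV_* bits out of `character`, `derive_flags_fixed` reads them out of `behaviour`, and both are fed the two constructed hypercall results quoted in the commit message. The bit positions of the H_CPU_CHAR_*/H_CPU_BEHAV_* constants are assumed to mirror the kernel's hvcall.h, and the rfi_flush decision is simplified to the two flags the commit names (the hypervisor-mode flush source is left out).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of the H_GET_CPU_CHARACTERISTICS result, as in the kernel's
 * struct h_cpu_char_result: one word of H_CPU_CHAR_* bits, one word of
 * H_CPU_BEHAV_* bits. */
struct h_cpu_char_result {
    uint64_t character;
    uint64_t behaviour;
};

/* Bit positions assumed to mirror arch/powerpc/include/asm/hvcall.h;
 * they are not stated in the commit text. */
#define H_CPU_CHAR_L1D_THREAD_PRIV     (1ULL << 59)
#define H_CPU_BEHAV_FAVOUR_SECURITY    (1ULL << 63)
#define H_CPU_BEHAV_L1D_FLUSH_PR       (1ULL << 62)
#define H_CPU_BEHAV_BNDS_CHK_SPEC_BAR  (1ULL << 61)

/* The derived security feature flags, modelled as plain booleans instead
 * of the kernel's global feature bitmask. */
struct sec_ftrs {
    bool favour_security;
    bool l1d_flush_pr;
    bool l1d_thread_priv;
    bool bnds_chk_spec_bar;
};

/* Pre-fix logic: every flag is tested against 'character', so the three
 * H_CPU_BEHAV_* checks look at the wrong word. */
struct sec_ftrs derive_flags_buggy(const struct h_cpu_char_result *r)
{
    struct sec_ftrs f;
    f.l1d_thread_priv   = !!(r->character & H_CPU_CHAR_L1D_THREAD_PRIV);
    f.favour_security   = !!(r->character & H_CPU_BEHAV_FAVOUR_SECURITY);
    f.l1d_flush_pr      = !!(r->character & H_CPU_BEHAV_L1D_FLUSH_PR);
    f.bnds_chk_spec_bar = !!(r->character & H_CPU_BEHAV_BNDS_CHK_SPEC_BAR);
    return f;
}

/* Fixed logic: H_CPU_CHAR_* from 'character', H_CPU_BEHAV_* from 'behaviour'. */
struct sec_ftrs derive_flags_fixed(const struct h_cpu_char_result *r)
{
    struct sec_ftrs f;
    f.l1d_thread_priv   = !!(r->character & H_CPU_CHAR_L1D_THREAD_PRIV);
    f.favour_security   = !!(r->behaviour & H_CPU_BEHAV_FAVOUR_SECURITY);
    f.l1d_flush_pr      = !!(r->behaviour & H_CPU_BEHAV_L1D_FLUSH_PR);
    f.bnds_chk_spec_bar = !!(r->behaviour & H_CPU_BEHAV_BNDS_CHK_SPEC_BAR);
    return f;
}

/* Simplified rfi_flush decision: enabled only when the hypervisor favours
 * security and asks for the L1D flush on return to problem state. */
static bool rfi_flush_enabled(struct sec_ftrs f)
{
    return f.favour_security && f.l1d_flush_pr;
}

/* What the meltdown sysfs file would report for a given hcall result,
 * using either the buggy or the fixed flag derivation. */
bool rfi_flush_from_hcall(uint64_t character, uint64_t behaviour, bool fixed)
{
    struct h_cpu_char_result r = { character, behaviour };
    struct sec_ftrs f = fixed ? derive_flags_fixed(&r) : derive_flags_buggy(&r);
    return rfi_flush_enabled(f);
}

/* spectre_v1 is reported vulnerable when the bounds-check speculation
 * barrier behaviour flag is set. */
bool spectre_v1_from_hcall(uint64_t character, uint64_t behaviour, bool fixed)
{
    struct h_cpu_char_result r = { character, behaviour };
    struct sec_ftrs f = fixed ? derive_flags_fixed(&r) : derive_flags_buggy(&r);
    return f.bnds_chk_spec_bar;
}

int main(void)
{
    /* Constructed inputs: the two QEMU results quoted in the commit message. */
    const uint64_t only_char  = 0xf000000000000000ULL;
    const uint64_t only_behav = 0xf000000000000000ULL;

    printf("CHAR=0xf0.., BEHAV=0: rfi_flush buggy=%d fixed=%d\n",
           rfi_flush_from_hcall(only_char, 0, false),
           rfi_flush_from_hcall(only_char, 0, true));
    printf("CHAR=0, BEHAV=0xf0..: spectre_v1 vulnerable buggy=%d fixed=%d\n",
           spectre_v1_from_hcall(0, only_behav, false),
           spectre_v1_from_hcall(0, only_behav, true));
    return 0;
}
```

With the first input the buggy derivation leaves rfi_flush on (the "Mitigation: RFI Flush" line) even though no behaviour bit is set; with the second it misses H_CPU_BEHAV_BNDS_CHK_SPEC_BAR entirely, which is why spectre_v1 read "Not affected" before the patch.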